ERROR: self signed certificate

Hi,

I have the following setup:

  1. server with Virtualmin which hosts PHP applications through the Apache web server
  2. n8n instance installed with npm
  3. virtual website which allows me to access n8n using subdomain
  4. SSL certificate provided by Virtualmin for the n8n subdomain

When I start n8n normally with “n8n start”, I can access n8n dashboard without any issues using my subdomain with HTTPS

https://n8n.domain

In this case, if I try to execute “IMAP Email” node, I get the following error

If I stop n8n and export NODE_TLS_REJECT_UNAUTHORIZED=0 variable with
export NODE_TLS_REJECT_UNAUTHORIZED=0

and then start n8n again, I can execute “IMAP Email” without any errors

Can you point me into the right direction here how to solve this without accepting self signed SSL certificates?

I even tried to add certificate (from the domain configuration) to n8n using the following variables
N8N_SSL_CERT
N8N_SSL_KEY

This doesn’t help

Thank you guys in advance!

Regards,
Igor

1 Like

Am I really the only one to use n8n and apache as a proxy in the combination?

Sadly no experience with Virtualmin and Apache. Also not sure if that is the main problem here as it almost looks like something lower level in Node.js. But also not much experience there. For that reason can I sadly not be of much help here. Sorry!

Hi,

I think that you will have to tackle on this because it comes from n8n

node --trace-warnings /usr/bin/n8n
n8n ready on 0.0.0.0, port 5678
Version: 0.74.0

================================
Start Active Workflows:
================================
- Arburoža
ADD ID (active): 1
(node:12687) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
at getAllowUnauthorized (internal/options.js:21:13)
at Object.connect (_tls_wrap.js:1561:29)
at Connection.connect (/usr/lib/node_modules/n8n/node_modules/imap/lib/Connection.js:128:22)
at /usr/lib/node_modules/n8n/node_modules/imap-simple/lib/imapSimple.js:584:14
at new Promise (<anonymous>)
at Object.connect (/usr/lib/node_modules/n8n/node_modules/imap-simple/lib/imapSimple.js:532:12)
at Object.trigger (/usr/lib/node_modules/n8n/node_modules/n8n-nodes-base/dist/nodes/EmailReadImap.node.js:211:42)
at Workflow.runTrigger (/usr/lib/node_modules/n8n/node_modules/n8n-workflow/dist/src/Workflow.js:498:37)
at ActiveWorkflows.add (/usr/lib/node_modules/n8n/node_modules/n8n-core/dist/src/ActiveWorkflows.js:24:46)
at ActiveWorkflowRunner.add (/usr/lib/node_modules/n8n/dist/src/ActiveWorkflowRunner.js:240:44)
 => Started
- Slobodna djelatnost - uplate
ADD ID (active): 2
 => Started

Editor is now accessible via:
https://localhost:5678/

Press "o" to open in Browser.
(node:12687) UnhandledPromiseRejectionWarning: Error: Got 0 parts, should get 1
at /usr/lib/node_modules/n8n/node_modules/imap-simple/lib/imapSimple.js:206:28
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at emitUnhandledRejectionWarning (internal/process/promises.js:168:15)
at processPromiseRejections (internal/process/promises.js:247:11)
at processTicksAndRejections (internal/process/task_queues.js:94:32)
(node:12687) Error: Got 0 parts, should get 1
at /usr/lib/node_modules/n8n/node_modules/imap-simple/lib/imapSimple.js:206:28
at processTicksAndRejections (internal/process/task_queues.js:93:5)
(node:12687) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
at emitDeprecationWarning (internal/process/promises.js:180:11)
at processPromiseRejections (internal/process/promises.js:249:13)
at processTicksAndRejections (internal/process/task_queues.js:94:32)

Regards,
Igor

Sorry, but I really do not like the sounds of that. I literally do not have to. n8n gets offered totally for free and all support we and I personally give is because we want to and we care about the community and our users very much. I also think we offer a very fast and good support. It is for example currently 9:10 p.m. Friday as I write this, I could also spend this time right now with my wife and children instead but instead, I am sitting here and answer your question. Anyway, us doing that is not because we HAVE TO it is because we WANT TO! We would only have to if we would get paid and there would be some kind of contract in place, which is not the case here.

Now why we can not look into your problem:
We can simply not invest hours in every edge case and support all possible combinations of operating systems, proxies, setups and whatever else. It is not like we have a team of 100 developers and support people sitting around. Our team is incredibly small. If we would do that, we would not get anything else done anymore. We have to prioritize and if I have to choose right now between investing 5h+ of developer time in debugging one edge case that literally one person has right now or add an integration to a service which many people are waiting for, it is honestly not a hard decision. We are a very small startup and we have to prioritize and say “no” a lot if we want to be sure to still be around tomorrow. I hope you understand that. We do not do that because we are lazy and we do not want to help, it is simply because we do not have the resources. Even if you look at the amount of issues we are not able to resolve (“will not fix” like this one) to the ones we do, and then compare that with some huge tech companies like Google, we are still doing pretty well.

And now to your problem:
Both of the error messages are thrown in a module n8n uses under the hood. The “imap-simple” and the “imap” one. We did not write any of those ourselves. We only use them in our code.

So there are multiple possibilities what the reason for that errors are:

  1. We use the modules wrong or messed something else up
  2. One of the modules has a bug
  3. The service you connect to does something strange
  4. Your setup is causing the problem
  5. ??? Probably even more things

I have no idea which one it is. In this case, it would sadly really be on you as part of the community and the person having that problem to:

  1. Fix it yourself
  2. Pay someone to fix it for you, if you can not do it yourself
  3. Use our server setup guide and see if it also happens there and then report back
  4. In the very worst case use another project which does not have that problem

I hope that all makes sense!

2 Likes

Hi,

I honestly don’t understand how did you understand my previous message as an attack on you or your team. I wasn’t disrespectful in any word I said.

Your reaction is truly completely unexpected, out of proportion and is something I would never do to someone that is trying to help me, no matter what kind of help that was.

I just provided a debug output which can or could provide some helpful information about the issue that I experience. I literally provided that because I like your product, understand that you are start-up and that you need help as much as you can get from the community. I don’t want to use other product because I like yours. Just because of that I wanted to help you.

My help is not much I guess but I would accept it if I would have this kind of start-up. Or at least would thank the person who gave me any additional information that could help me to resolve the problem.

I didn’t say that you will HAVE TO do this, just because I reported it. I merely suggested that it looks like something in the code is creating the issue. You can see from my other topics that I am not a developer, but I am trying to get to know your product.

You could just say, that the issue is happening in other module, which you didn’t write and that would be the end of this case.

Anyway, I will report the problem to the developer of that 3rd party module so we will see what will he/they reply back

Regards,
Igor

I did not see your message as an attack at all. Sorry if my answer suggested otherwise. I only wanted to make clear that I do not like it if people suggest they are entitled to free support for a free product which seems to be more and more the case in open-source (and fair-code). Your words “you will have to” it sounded for me as one of those cases. If it was not meant that way, then I am really sorry but “you will have to” sounds simply incredibly demanding, not friendly, and simply like we “HAVE TO” as that were the exact words used.

Anyway, I am very glad to hear that you did not mean it like that at all!

I still suggest you to do as I suggested as “3”. To see if the same happens when setting up n8n according to our server setup guide. You can get a new Digital Ocean (or whatever) server, follow the steps, see if it works then, and then delete it again.
If it does work there then we know that your setup is the issue, if not, then we know that the problem is in the module or n8n.

It certainly didn’t mean to demand a support from you. I know that your application is open source and that you can’t provide free support to everyone asking for it

My words “you will have to” just implied that, if you plan to offer a hosting solution, which I believe you do plan, you will have a situation where you will provide service behind some kind of proxy. In that case, I am guessing you will encounter this problem. That is why I wrote that “you will have to”

Anyway, I have asked guys who wrote “imap-simple” module to see if they will have some ideas how to solve this

Regards,
Igor

Thanks a lot for explaining! Then sorry, understood you then totally wrong!

Btw. we are not “OSI approved open-source”:

1 Like

Hi,

I am happy that we have come to the same path and that we are friends again :wink:

Working as a part time freelance support person for various companies during the years taught me a valuable lesson. In case you see someone is “demanding something” or at least it sounds like he does, try to find and learn all the facts first before jumping to conclusions too soon.

I am very well aware that working in a start-up can be very demanding and frustrating, with lots of decisions that you need to make, lots of prioritization, and putting away things that sounds good for a product that already have some stability but would mean a lot of effort in the beginning. Please try to keep calm and don’t burn-out on things like this :blush:

You have a good product with nice future if I can judge from what I saw so far

I am really trying to understand it in deep. This forced me to look around for JS tutorials which would help me to use it in a better way. In my very limited knowledge of JS, I managed to produce something like this

That workflow is just a tip of an iceberg of the flow which I plan to create in the end. Just waiting for a better GMail node :wink: Current “EmailReadImap” is limited and you can’t do things specific to GMail (labels, moving of emails etc). I know that new GMail node is WIP and I am waiting patiently

I know that you are not “OSI approved open-source”. I saw your licence explanation

Regards,
Igor

1 Like

Hi @mihha!

When you have time, could you direct message me the additional functionality you’d want in a Gmail node? I work on product design for n8n, so such a list would be very helpful.

I can’t guarantee that we’ll add this functionality of course, but there is a good chance we’d want to add things like ability to categorize emails in future (current V1 is being tested at the moment, from a quick check it does look like it has support to add labels).

@maxT

Direct message sent. If you want, we can discuss this further

Regards,
Igor

BTW, @jan, I was able to work this out

Now, I have the following setup which is working correctly with signed certificate from LetsEncrypt

  1. subdomain and website created using Virtualmin
  2. subdomain is using HTTPS
  3. n8n instance installed with npm
  4. SSL certificate provided by Virtualmin (from LetsEncrypt) which is working on the subdomain

I had to create the following combination of environment variables

export N8N_PROTOCOL=https
export VUE_APP_URL_BASE_API="https://n8n.domain/"
export N8N_BASIC_AUTH_ACTIVE=true
export N8N_BASIC_AUTH_USER=myhiddenuser
export N8N_BASIC_AUTH_PASSWORD=myhiddenpassword
export WEBHOOK_TUNNEL_URL="https://n8n.domain/"

My error in initial attempt was a combination of two things:

  1. using variable N8N_HOST=n8n.domain. Since the host is actually localhost in this case and Apache is serving a content from localhost when you access this subdomain from the internet, N8N_HOST variable shouldn’t be set

  2. I am using pm2 process manager for node. I wasn’t aware that when you create a process using that manager, stop the process, change some variables and then start the process again, pm2 actually saves the variables, instead of using new values. You have to delete a process and then create it with new variables active in order to change them for the process

Anyway, I have a fully working n8n application, which is using LetsEncrypt certificate, is accessible from the internet without a tunnel and is sitting behind a proxy

Regards,
Igor

1 Like

That is great to hear @mihha that it works now!

Also thanks a lot for the write up! I am sure it will be very helpful for other people in the future which face the same or similar problem. Esp. interesting to hear how pm2 handles processes. Has a lot of potential to waste hours of debugging something.

I was also able to run into this error and I also managed to bring n8n into a boot loop with the IMAP Email Read Node. I got a similar setup like the TO with a nginx reverse proxy in front, which is working fine normally. I also removed the N8N_HOST env but it kept restarting.

I don’t know exactly what the problem is but at least I can offer a solution when someone else runs into such a boot loop where the docker container keeps restarting. This is also still happening after recreating the container so you have to manually change files to stop the IMAP Read Node function.

The main problem was - which one should not do: activate the workflow to production while there is an error occurring. The error made the docker container force restarting after 5 seconds. In the end I did the following:

Search for the

/var/lib/docker/overlay2/------------containerID------------/diff/usr/local/lib/node_modules/n8n/node_modules/imap/lib/Connection.js

file on the host computer for example with this command find / -name "Connection.js" - attention there are several files, you need to choose the right one.

When you got the right one I did the following - Do not copy/paste the commands! You need to manually find your corresponding file depending on your container id:

# Stop the docker container, in my case:
docker stop n8n_n8n_1
# Make a backup of the Connection.js
cp "Path to your container/diff/usr/local/lib/node_modules/n8n/node_modules/imap/lib/Connection.js" "Path to your container/diff/usr/local/lib/node_modules/n8n/node_modules/imap/lib/Connection.js.bkk"
# Empty the file -> don't delete it, it has to be there
: > "Path to your container/diff/usr/local/lib/node_modules/n8n/node_modules/imap/lib/Connection.js"
# Start the docker container again
docker start n8n_n8n_1

n8n should start again and you can turn off the corresponding workflow which is responsible for the error (in my case the IMAP Read Email Node/workflow).

After this you should stop the container again and move the Connection.js.bkk back to its normal place. Other option would be after deactivating the Workflow/Node to stop the container, remove it and rebuild it.

At this point I didn’t find out why it is happening but it seems to be a gmail problem. Will look into it after work.

Edit:
The IMAP Node doesn’t seem to work with gmail at my end. Can someone test this on his side? When using a private mail account/domain the node is working properly. Also changing the google settings to allow unsecure apps/login methods does not help in this case. Perhaps it’s something with the reverse proxy? Docker error logs look like this:

Error [ERR_STREAM_DESTROYED]: Cannot call write after a stream was destroyed
    at doWrite (_stream_writable.js:399:19)
    at clearBuffer (_stream_writable.js:542:7)
    at Socket.Writable.uncork (_stream_writable.js:338:7)
    at JSStreamSocket.doWrite (internal/js_stream_socket.js:176:17)
    at JSStream.onwrite (internal/js_stream_socket.js:33:57)
    at Socket.ondata (internal/js_stream_socket.js:77:22)
    at Socket.emit (events.js:314:20)
    at addChunk (_stream_readable.js:298:12)
    at readableAddChunk (_stream_readable.js:273:9)
    at Socket.Readable.push (_stream_readable.js:214:10)
Emitted 'error' event on TLSSocket instance at:
    at TLSSocket._emitTLSError (_tls_wrap.js:893:10)
    at JSStreamSocket.<anonymous> (_tls_wrap.js:813:36)
    at JSStreamSocket.emit (events.js:314:20)
    at Socket.<anonymous> (internal/js_stream_socket.js:63:38)
    at Socket.emit (events.js:314:20)
    at errorOrDestroy (internal/streams/destroy.js:108:12)
    at onwriteError (_stream_writable.js:418:5)
    at onwrite (_stream_writable.js:445:5)
    at doWrite (_stream_writable.js:399:11)
    at clearBuffer (_stream_writable.js:542:7) {
  code: 'ERR_STREAM_DESTROYED'
}

parts of docker-compose:

    ports:
      - "127.0.0.1:5678:5678"
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER
      - N8N_BASIC_AUTH_PASSWORD
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - VUE_APP_URL_BASE_API=https://xxx.domain.com/
      - WEBHOOK_TUNNEL_URL=https://xxx.domain.com/

.env:

DATA_FOLDER=/var/n8n/
DOMAIN_NAME=domain.com
SUBDOMAIN=xxx
N8N_BASIC_AUTH_USER=xxx
N8N_BASIC_AUTH_PASSWORD=xxxx
GENERIC_TIMEZONE=Europe/Berlin

@jan I found a workaround to make gmail accounts work. Perhaps it’s possible to add this tlsOption which I manually added to the Connection.js to the chooseable options in the webUI.

I added the following to the tlsOptions, line 119:

// old code
        tlsOptions = {};
// new code
        tlsOptions = { rejectUnauthorized: false };

Edit: it is working! for gmail and private accounts. just remember to lower the gmail login security and allow login by unsecure apps.
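
The opening question asks how to clear the "self signed certificate" error without accepting self-signed certificates, while both workarounds above (`NODE_TLS_REJECT_UNAUTHORIZED=0` and `rejectUnauthorized: false`) turn verification off. The following is an added example, not code from n8n, node-imap or any poster: it reads the chain an IMAP server presents and maps Node's verification error code to a fix that keeps verification on. The function names `flattenChain`, `diagnose` and `probe`, the host `mail.example.test` and the sample certificate are constructed for the illustration.

```javascript
// Added example: not n8n or node-imap code. Host names and chains are constructed.
const tls = require('tls');

// getPeerCertificate(true) links certificates through issuerCertificate; a
// self-signed certificate points back at itself, so stop on a repeated fingerprint.
function flattenChain(leaf) {
  const chain = [];
  const seen = new Set();
  for (let c = leaf; c && c.fingerprint256 && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    const san = (c.subjectaltname || '').split(', ')
      .filter((n) => n.startsWith('DNS:')).map((n) => n.slice(4));
    chain.push({ subject: c.subject.CN, issuer: c.issuer.CN, names: [c.subject.CN, ...san] });
  }
  return chain;
}

// Map Node's verification error code to a fix that keeps verification enabled.
// Name matching is exact (no wildcards), which is enough for triage.
function diagnose(host, code, chain) {
  const leaf = chain[0] || { names: [] };
  const root = chain[chain.length - 1] || { subject: 'unknown' };
  switch (code) {
    case null:
      return { cause: 'verified', fix: 'no override needed: unset NODE_TLS_REJECT_UNAUTHORIZED' };
    case 'DEPTH_ZERO_SELF_SIGNED_CERT': // surfaces as "self signed certificate"
      return leaf.names.includes(host)
        ? { cause: 'self-signed-leaf', fix: 'trust only this certificate via tlsOptions.ca or NODE_EXTRA_CA_CERTS' }
        : { cause: 'self-signed-other-name', fix: 'not issued for this host: check host/servername and TLS interception' };
    case 'SELF_SIGNED_CERT_IN_CHAIN':
      return { cause: 'private-root', fix: `add root "${root.subject}" to tlsOptions.ca or NODE_EXTRA_CA_CERTS` };
    case 'UNABLE_TO_VERIFY_LEAF_SIGNATURE':
    case 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY':
      return { cause: 'incomplete-chain', fix: 'server must send its intermediates, or add them to ca' };
    default:
      return { cause: 'other', fix: `investigate ${code}; keep verification on` };
  }
}

// Connect once to read the presented chain. Verification is relaxed only for
// this read-only probe; no IMAP command or login is sent over the socket.
function probe(host, port = 993, servername = host) {
  return new Promise((resolve, reject) => {
    const sock = tls.connect({ host, port, servername, rejectUnauthorized: false }, () => {
      const chain = flattenChain(sock.getPeerCertificate(true));
      const code = sock.authorized ? null : sock.authorizationError;
      sock.end();
      resolve({ code, chain, ...diagnose(host, code, chain) });
    });
    sock.setTimeout(10000, () => sock.destroy(new Error('probe timed out')));
    sock.on('error', reject);
  });
}

// Constructed sample: a leaf that is its own issuer, as in the thread's error.
const sample = { subject: { CN: 'mail.example.test' }, issuer: { CN: 'mail.example.test' },
  fingerprint256: 'AA:01', subjectaltname: 'DNS:mail.example.test' };
sample.issuerCertificate = sample;
console.log(diagnose('mail.example.test', 'DEPTH_ZERO_SELF_SIGNED_CERT', flattenChain(sample)));
```

Run `probe('<your IMAP host>')` from the machine n8n runs on, so the result reflects the same network path and proxy the IMAP node uses.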

@mihha, Hi I am using npm too when installing n8n. Faced a problem with configuring n8n on a subdomain with an SSL certificate https://n8n.domain.ru
The VPS server has the following installed:

  1. Ubuntu 20.04
  2. NPM
  3. Apache2
  4. N8N
  5. Certbot used to get SSL certificate

Then, using the BASH script: Monosnap I run n8n: Monosnap and get the result: Monosnap But when you open a secure connection it doesn’t work: https://take.ms/D3qfI
The main goal is for n8n to work at the address: https://n8n.domain.ru
Can you share your correct server settings? Or tell me what exactly needs to be changed in my settings?
This is my first time setting up n8n on a VPS server, so I have no experience. I would be very grateful if you can help with the server settings.

Hey @Faha,

The common approach would be to use your web server as a reverse proxy and handle the SSL/TLS handshake at that point.

For Apache it would be something like making sure mod proxy is enabled then making a new virtual host that is something like…

Listen 443

NameVirtualHost n8n.domain.ru:443
<VirtualHost n8n.domain.ru:443>

    SSLEngine On

    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key

    ProxyPass / http://127.0.0.1:5678/
    ProxyPassReverse / http://127.0.0.1:5678/

</VirtualHost>

It may be worth making a new post as you are not using a self signed cert.

1 Like

Does not work

Do you get an error when trying? Do you use Apache for anything else? Fancy opening a new thread?

I solved the problem, your advice helped. thanks

1 Like